Closed Bug 246097 Opened 20 years ago Closed 20 years ago

XPinstall whitelist additions [xpinstall not working]

Categories

(Core Graveyard :: Installer: XPInstall Engine, enhancement)

Tracking

(Not tracked)

RESOLVED WONTFIX

People

(Reporter: dveditz, Assigned: dveditz)

Bug 240552 added a whitelist to XPInstall. For the Mozilla suite the point was
not to restrict functionality from friendly sites but to protect against unknown
malicious sites. Since the XPInstall confirmation dialog will still always show
up as the main security measure, I'm happy adding additional Mozilla developer
sites in the short term. Unfortunately I didn't get any nominations in that bug
before I fixed it, so this bug will hold those.

Long term we will have a UI solution (bug 241705).

I'll start off with www.hacksrus.com, host to the active development versions of
chatzilla and venkman. Do we want to add that one (opening it up to all members
of hacksrus, not just ginda), or figure people who want it are smart enough to
add it on their own?
Should we add bugzilla.mozilla.org to the -BLACK-list? Makes testcases harder to
deal with but too many people can add content here. Since you can't add script
to a bug comment I think you'd have to be able to add an attachment to take
advantage. But if you can add an attachment then it'd be easy. :-(

Blocks: 246122

I have a list of extensions I install with every upgrade, so here are the ones
bug 240552 affected:
<http://www.mozcafe.com/> contains additional spellchecker languages, as well as
a splash.xpi that changes the splash screen.

<http://tecwizards.de/mozilla/> contains the "paste and go" extension.

<http://3rdhand.info/mozilla/home/> contains the ever popular "Home button" add-on.

<http://cgi29.plala.or.jp/%7Emozzarel/> contains a few add-ons, like the
Bookmarks Link Checker, and the Browser Spell Checker (for text fields and web
forums)

and of course
<http://white.sakura.ne.jp/%7Epiro/xul/xul.html.en> contains many extensions,
like Tabbrowser Extension.

I've also got a small site <http://ilias.ca/>, that hosts prefsize.xpi, which
makes the preferences window resizable.
A few more:
<http://skypilot.projectit.com/> hosts the skypilot theme

<http://projectit.com/freestuff.html> hosts many themes, which seem to reside on
<http://skypilot.projectit.com/>.

<http://www.java.com/en/download/manual.jsp> Sun makes JRE available through XPI.
And of course, there's the Extensions Mirror by sboulema:

http://www.extensionsmirror.nl/

Big vote now for that one.

Yep, my site deserves an entry in the list, I guess ;)

Pinball and GrayModern themes for Mozilla

http://mozilla-themes.schellen.net/

Theme installation is blocked unnecessarily. Themes can't contain executable
code when installed from a jar file. Anyway, until this issue is resolved, theme
pages should be included in the whitelist.
InstallTrigger.installChrome() can install more than just skins, unfortunately,
but I agree that themes are not as dangerous as the rest. I guess it wouldn't be
too hard a change though.
My themes are located at
http://www.cs.txstate.edu/~as1130/themes/*theme_name*/theme.jar, so would adding
http://www.cs.txstate.edu/~as1130/themes/ to the whitelist be adequate?  I use a
redirection service (http://www.mozthemes.tk) that points to
http://www.cs.txstate.edu/~as1130/themes/, but I don't know if the redirection
service would mess up the XPInstall...

If my site http://www.extensionsmirror.nl/ gets added, will
http://extensions.extensionsmirror.nl and http://themes.extensionsmirror.nl also
be whitelisted? If not, please add them to the list.

My theme files are located at:
http://www.tom-cat.com
http://tom-cat.com
http://www.catthief.com
http://catthief.com

I included both the root domain and the www. prefix, not knowing exactly how your whitelist is handled.
Red Cats and Curacao themes for Firefox:
http://www.bluecatsgraphics.com/
The problem with sites like http://isp.com/~member/ is that we can't whitelist
just the one member. Do we trust that a scumware vendor wouldn't be willing to
sign up for an account on one of our default whitelisted sites if that meant
they could get around the restriction on pushing their wares?

I think we need to give up on whitelisting additions, there are just too many
sites to be fair. Letting theme installs bypass the whitelist restriction will
help tremendously -- that should be step one. After that we should just get the
UI implemented so people can easily restart blocked installs and whitelist
their own favorites.
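
The granularity problem raised in the comment above, as an added example (not part of this bug thread and not XPInstall code): a host-keyed allow-list never looks at the path, so a nomination for one `~member` directory ends up trusting every account on that host. The `matchSubdomains` flag is an assumption standing in for the www-versus-root question asked earlier in the thread, and `~someoneelse` is a constructed account name.

```javascript
// Added illustration; this models an allow-list keyed on host only.
// It is not XPInstall's implementation.

// Nominations copied from comments on this page.
const NOMINATIONS = [
  "http://www.extensionsmirror.nl/",
  "http://www.cs.txstate.edu/~as1130/themes/",
  "http://stud4.tuwien.ac.at/~e0225227/",
  "http://cgi29.plala.or.jp/%7Emozzarel/",
  "http://tom-cat.com",
];

// Host-granular check: the path of the installing page is never consulted.
// matchSubdomains is an assumption; the thread does not say how entries match.
function isAllowed(pageUrl, allowedHosts, matchSubdomains = false) {
  const host = new URL(pageUrl).hostname.toLowerCase();
  return allowedHosts.some(
    (entry) => host === entry || (matchSubdomains && host.endsWith("." + entry))
  );
}

// Returns the account name when the first path segment is a per-user
// directory (~name or its %7E encoding), otherwise null.
function userDirectory(url) {
  const path = decodeURIComponent(new URL(url).pathname);
  const first = path.split("/")[1] || "";
  return first.startsWith("~") ? first.slice(1) : null;
}

// Flag nominations where the nominator controls only a ~user directory
// but a host-keyed entry would extend trust to the whole server.
function reviewNominations(urls) {
  return urls.map((url) => {
    const user = userDirectory(url);
    return { url, host: new URL(url).hostname, user, overBroad: user !== null };
  });
}

const report = reviewNominations(NOMINATIONS);
for (const r of report) {
  const scope = r.user ? ` (nominated scope: ~${r.user})` : "";
  console.log(`${r.overBroad ? "OVER-BROAD" : "ok"}\t${r.host}${scope}`);
}

// A constructed second account on a nominated host passes the same check.
const hosts = report.map((r) => r.host);
console.log(isAllowed("http://stud4.tuwien.ac.at/~someoneelse/x.xpi", hosts));
```
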
http://white.sakura.ne.jp/~piro/xul/xul.html.en
ContextMenu Extensions
Tabbrowser Extensions
Sidebar Window for Mozilla & Netscape 7
Rewind/Fastforward Buttons + more
(kinda hard to avoid this guy :)

Chrispederick.com
User Agent Switcher
Web Developer
(web dev toolbox supreme)
For plugins, I'd suggest adding the following:

java.sun.com (Java)
java.com (Java)
parallelgraphics.com (Cortona VRML)
host.cycore.net (Cult3D)
bxwa.com (FastBid)
ipix.com (iPIX)
virtools.com (Virtools Web Player, untested and not on PluginDoc at present)

Food for thought:
iol.ie (ActiveX plugin, as much as I hate the thing)
netscape.com (tends to have interesting XPIs from time to time)

With the exception of iol.ie and netscape.com, all the sites above are vendor
sites, so the concerns in comment 14 aren't so much of an issue. In the case of
netscape.com, there have often been useful things like Flash XPIs there.

Is there a Firefox version of this bug?

About theme installation: see Bug 246375

Not sure if this is still valid or not, but better safe than sorry, I suppose.

Future versions of GrayModern for Firefox (and probably the new Modern theme as
well) will be hosted on:

http://www.finalstar.com/
Navigation toolbar and themes for my online classes:

http://papyr.com

Well, http://stud4.tuwien.ac.at/~e0225227/ would be nice... (mng xpi)

...but half of the students at tuwien can host webpages on this server. Do you
trust them? :)

I wouldn't mind having my site at http://ted.mielczarek.org/code/mozilla/
whitelisted, but I get the feeling that most people install the extensions from
u.m.o anyway, so it's probably not a big deal.
Well, Firefox now has a handy UI for adding items to your own whitelist.  UMO is
now on it, but *.m.o is not (to avoid bmo).  Everyone is chipping in their
favorite extension and theme sites, but I feel that the number of white listed
sites should be pretty limited.

At some point UMO will allow authors to upload updates to their extensions and
themes.  These will be verified by "staff" before it is approved to be listed.  

In other words, I don't think the white-list needs to contain anything other
than UMO.

Wontfix. Instead, we need a decent UI (such as the one Firefox has added) that
lets people create their own custom whitelist. See also bug 246375 (don't
require whitelisting for theme installs).
Status: NEW → RESOLVED
Closed: 20 years ago
Resolution: --- → WONTFIX
Product: Core → Core Graveyard